ExpertMedium1 markMultiple Choice
CPA · Question 08 · Area III: SOC Engagements
In a SOC 2® engagement, management asserts that they use a subservice organization for data center hosting. Management's description of the system excludes the controls performed by the data center. Which method of reporting is being used?
In a SOC 2® engagement, management asserts that they use a subservice organization for data center hosting. Management's description of the system excludes the controls performed by the data center. Which method of reporting is being used?
Answer options:
A.
Inclusive method
B.
Carve-out method
C.
Type I method
D.
Integrated method
How to approach this question
Distinguish between 'carve-out' (excluded) and 'inclusive' (included).
Full Answer
B.Carve-out method✓ Correct
Carve-out method
The carve-out method is used when the service organization's description excludes the subservice organization's controls. The auditor relies on the subservice organization's own SOC report (if available) or simply notes the exclusion.
Common mistakes
Confusing Inclusive and Carve-out.
Practice the full CPA ISC Practice Exam 2
82 questions · hints · full answers · grading
More questions from this exam
Q01A service organization provides a cloud-based payroll platform where clients access the software ...MediumQ02An auditor is reviewing the backup strategy for a financial institution that requires a Recovery ...HardQ03During a walkthrough of the change management process, an auditor observes that developers have w...MediumQ04An auditor is reviewing a SQL query used to generate a list of active customers for a marketing c...HardQ05Which of the following entities is considered a 'Covered Entity' under the HIPAA Privacy Rule?Medium